The timezone conversions that you specified (all incoming messages treated as -04:00 and then converted to -04:00 as written out) are a noop.
I don't understand why it's not logging as local time without me having to do anything. And I _really_ don't understand why the explicit instructions don't work.
Pointers in the right direction appreciated...
When an incoming message specifies a timezone (which logger will not do by itself), syslog-ng uses that information to convert the time to UTC (e.g. GMT+0). If the message does not contain such information in the first place, it will _assume_ that it comes from the local timezone. The explicit timezone instructions only change this assumption.
If a program generates messages using an incorrect timezone (e.g. ssh, or in the case above logger), and it does _NOT_ include this timezone information in the message (which the legacy syslog protocol cannot do), then syslog-ng has no means to do anything without further information. What you can do however, is to force sshd to log to a different socket instead of /dev/log and associate a different recv_time_zone() to the source handling this different socket. This is not easy, as there's no means to override the /dev/log socket when using the syslog functions from libc (which sshd does).
So the easiest fix is to fix sshd.
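The decision rule described in the reply above, worked through as an added example (Python emulation written for this page, not syslog-ng's own code): a stamp that carries its own offset is honoured as sent, a legacy BSD stamp without an offset is assumed to be in recv_time_zone(), and the destination's time_zone() only affects how the stored UTC value is written out. The year for BSD stamps, the -04:00 values and the sample stamps are constructed assumptions.

```python
"""Emulation of syslog-ng's timezone handling as explained in the thread.
This is an added illustration, not syslog-ng source."""
import re
from datetime import datetime, timedelta, timezone

# BSD/legacy syslog stamps carry no year; assume one for the emulation.
ASSUMED_YEAR = 2024

BSD_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2})$")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_offset(spec: str) -> timezone:
    """Turn '+HH:MM' or '-HH:MM' into a fixed-offset timezone."""
    sign = 1 if spec[0] == "+" else -1
    hh, mm = spec[1:].split(":")
    return timezone(sign * timedelta(hours=int(hh), minutes=int(mm)))


def receive(stamp: str, recv_time_zone: str) -> datetime:
    """Parse an incoming stamp and normalise it to UTC.

    recv_time_zone is consulted only when the stamp has no offset of its
    own, which is exactly the 'assumption' the reply above talks about.
    """
    m = BSD_RE.match(stamp)
    if m:
        mon, day, h, mi, s = m.groups()
        naive = datetime(ASSUMED_YEAR, MONTHS[mon], int(day),
                         int(h), int(mi), int(s))
        assumed = naive.replace(tzinfo=parse_offset(recv_time_zone))
        return assumed.astimezone(timezone.utc)
    # ISO 8601 stamp with an explicit offset: the sender's zone wins and
    # recv_time_zone is ignored.
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)


def write_out(utc_ts: datetime, time_zone: str) -> str:
    """Render the stored UTC stamp in the destination's time_zone()."""
    return utc_ts.astimezone(parse_offset(time_zone)).isoformat()


if __name__ == "__main__":
    # Constructed sample: a legacy stamp as 'logger' would send it.
    bsd = "Jan  5 10:00:00"
    # recv -04:00 then write -04:00: the noop from the first reply.
    print(write_out(receive(bsd, "-04:00"), "-04:00"))
    # A sender that labels its own offset is converted regardless of recv.
    print(write_out(receive("2024-01-05T10:00:00+02:00", "-04:00"), "-04:00"))
    # A source whose stamps are really UTC needs recv_time_zone("+00:00")
    # on *its* source to come out right in local -04:00 time.
    print(write_out(receive(bsd, "+00:00"), "-04:00"))
```

The third case is the situation in the thread: a program writing stamps in the wrong zone without saying so can only be corrected by attaching a different recv_time_zone() to the source that receives just that program's messages.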
I'll get right on that... :) Seriously, thanks for the detailed explanation - I know what's happening now, at least. It's Red Hat RHEL5, so it's as up-to-date as I'm going to get, but I'll at least let them know it's a problem.
-- 
Tim Boyer
Director IT and Engineering Projects
Denman Tire Corporation